20140528

The Importance of umask

This is subtle and covered in countless other places.  However, for the sake of it, this is a brief illustration of umask and its (non-)interaction with the "SGID" bit.  This can be especially relevant when setting up something like a Subversion server, with user access done via SSH.

I have created a directory called test.  It's empty, and owned by me and under the group svn (my default group).

admin@svnsrv:~/test$ ls -al
total 8
drwxr-xr-x 2 admin svn 4096 May 28 15:10 .
drwxr-xr-x 3 admin svn 4096 May 28 15:10 ..

I decide to use a different group, and I set the SGID bit so that all files and directories created under "test" will get the same group ID.  I also give group write permission.

admin@svnsrv:~/test$ chgrp sshusers .
admin@svnsrv:~/test$ chmod g+ws .
admin@svnsrv:~/test$ ls -al
total 8
drwxrwsr-x 2 admin sshusers 4096 May 28 15:10 .
drwxr-xr-x 3 admin svn      4096 May 28 15:10 ..

Now we can try making another directory.

admin@svnsrv:~/test$ mkdir foo
admin@svnsrv:~/test$ ls -la
total 12
drwxrwsr-x 3 admin sshusers 4096 May 28 15:10 .
drwxr-xr-x 3 admin svn      4096 May 28 15:10 ..
drwxr-sr-x 2 admin sshusers 4096 May 28 15:10 foo

As you can see, foo inherited the correct group ID, but did not inherit group write permission.  This is where umask comes in.  We first look at our current umask, and then set a new one:

admin@svnsrv:~/test$ umask
0022
admin@svnsrv:~/test$ umask 0002
admin@svnsrv:~/test$ mkdir bar
admin@svnsrv:~/test$ ls -la
total 16
drwxrwsr-x 4 admin sshusers 4096 May 28 15:10 .
drwxr-xr-x 3 admin svn      4096 May 28 15:10 ..
drwxrwsr-x 2 admin sshusers 4096 May 28 15:10 bar
drwxr-sr-x 2 admin sshusers 4096 May 28 15:10 foo
admin@svnsrv:~/test$ umask
0002

The new directory was created with the right permissions.  It is important to note that permission bits are never inherited from the parent directory: they come from the mode the creating program asks for, filtered through umask.  Group ownership, on the other hand, is inherited when the parent has the SGID bit set.

umask is designed to mask out permission bits, so it is the complement of the permissions we ultimately want to allow.  A umask of 002 does not mean that files will be created with mode 775; it means that if a program asks for 664, a mask of 002 leaves 664 intact, whereas a mask of 022 reduces it to 644.  Likewise, a file requested as 700 stays 700 under both of these example umasks.  It is, exactly, a mask: applied as a logical AND (NOT mask).  It is not a mathematical subtraction.  As an exercise to the reader, look through this Wikipedia article for more info on permissions and then work out some examples by hand, applying masks using AND (NOT mask):

http://en.wikipedia.org/wiki/File_system_permissions#Symbolic_notation

And on that note, consider this final command and its result:

admin@svnsrv:~/test$ touch baz
admin@svnsrv:~/test$ ls -la
total 16
drwxrwsr-x 4 admin sshusers 4096 May 28 15:14 .
drwxr-xr-x 3 admin svn      4096 May 28 15:10 ..
drwxrwsr-x 2 admin sshusers 4096 May 28 15:10 bar
-rw-rw-r-- 1 admin sshusers    0 May 28 15:14 baz
drwxr-sr-x 2 admin sshusers 4096 May 28 15:10 foo

See?  No execute bits on that file, even though the umask is still 0002.  That is because touch asks for mode 0666 when it creates a regular file (mkdir asks for 0777), and a mask can only remove bits, never add them.

N.B. The leading zero denotes octal notation, in case you hadn't realized that is what we are using here.  Strictly, the modes in the big paragraph above should be written 0775, 0664, and so on.
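To make the AND (NOT mask) rule concrete, here is an added shell example that is not part of the original post.  It computes the effective mode from a requested mode and a umask, shows what you would wrongly get by subtracting instead, and then recreates the post's session (foo under umask 0022, bar and baz under umask 0002) in a throw-away directory so the listing can be compared with the arithmetic.  It assumes printf accepts C-style octal constants and that mktemp -d exists, which holds for GNU coreutils and the BSDs; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not the post's own session: apply umask as
# REQUESTED AND (NOT MASK) and confirm it against real mkdir/touch.
# Assumes: printf parses a leading 0 as octal; mktemp -d is available.

# apply_umask REQUESTED MASK -> effective mode, 4-digit octal.
# This is the rule the kernel applies to the mode a program requests.
# The SGID bit seen on "bar" and "foo" in the post comes from the parent
# directory, not from this arithmetic.
apply_umask() {
    req=$(printf '%d' "$1")    # leading 0 => octal constant
    mask=$(printf '%d' "$2")
    printf '%04o' $(( req & ~mask ))
}

# naive_subtract REQUESTED MASK -> what treating umask as subtraction gives.
# Only here to show it is wrong: 0700 - 0022 yields 0656, not 0700.
naive_subtract() {
    req=$(printf '%d' "$1")
    mask=$(printf '%d' "$2")
    printf '%04o' $(( req - mask ))
}

# mkdir requests 0777 for a new directory; touch requests 0666 for a file.
expected_dir_mode()  { apply_umask 0777 "$1"; }
expected_file_mode() { apply_umask 0666 "$1"; }

# Recreate the post's sequence in a temporary directory and list it.
demo_umask() {
    tmp=$(mktemp -d 2>/dev/null) || { echo "mktemp unavailable, skipping demo"; return 0; }
    # Each subshell gets its own umask, so the caller's setting is untouched.
    (umask 0022 && mkdir "$tmp/foo")
    (umask 0002 && mkdir "$tmp/bar" && touch "$tmp/baz")
    echo "expected: foo $(expected_dir_mode 0022)," \
         "bar $(expected_dir_mode 0002), baz $(expected_file_mode 0002)"
    ls -la "$tmp"
    rm -rf "$tmp"
}

demo_umask
```

Run it as a script: the "expected" line prints 0755, 0775 and 0664, and the ls -la listing beneath it shows drwxr-xr-x for foo, drwxrwxr-x for bar and -rw-rw-r-- for baz (no s bit, because the temporary parent is not SGID).  Changing the masks in the two subshells and rerunning is a quick way to do the Wikipedia exercise with the kernel checking your work.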

